9634834

Distributed Cryptographic Management for Computer Systems

Published: April 25, 2017
Assignee: not available in USPTO data we have

Patent Claims
25 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A key management agent implemented on a client machine associated with a central key management system, the key management agent configured to: implement on the client machine a key management registration file that contains cryptographic key definitions regarding allowed or configured keys, each key comprising a public and private key pair; obtain from the key management registration file the cryptographic key definitions for the allowed or configured keys; based on the cryptographic key definitions, permit generation at the client machine of any of the allowed or configured keys; permit requests to the central key management system for a plurality of digital certificates, each digital certificate corresponding to one of the allowed or configured keys; implement a keystore for storing a plurality of the allowed or configured keys and digital certificates at the client machine; protect the stored keys and digital certificates at the client machine; monitor the status of the keystore for any of expiration and corruption; send regular status information to the central key management system; and request for renewal for any of the allowed or configured digital certificates.

2. The key management agent of claim 1, wherein the request for renewal is based on a pre-assigned schedule.

3. The key management agent of claim 2, wherein the pre-assigned schedule is determined by one or more rules provided the central key management system.

4. The key management agent of claim 1, wherein the key management agent is downloadable to the client machine if the client machine is accepted as a legitimate object to the central key management system domain.

5. The key management agent of claim 1, wherein the client machine is required to be approved as a legitimate object to the central key management system domain.

6. The key management agent of claim 5, wherein the approval is controllable by an approving entity.

7. The key management agent of claim 6, wherein the approving entity comprises any of the administrator and an approver authorized by the administrator.

8. The key management agent of claim 1, wherein the administrator controls any of key deletion, key revocation, key suspension, and key reissue.

9. The key management agent of claim 1, wherein records pertaining to key management are available to an auditor associated with a key management domain of one or more client machines enabled by the administrator.

10. The key management agent of claim 1, wherein the administrator provides information to the central key management system for any of client machine information, user information, agent profile information, enrollment information, key information, and certificate information.

11. The key management agent of claim 10, wherein the information is provided through an online form.

12. The key management agent of claim 1, wherein the central key management system presents system configuration options to the administrator, the configuration options comprising any of key request, key maintenance, regular status, notification, alerts, and actions.

13. The key management agent of claim 1, wherein the central key management system collects status data from the application agent.

14. The key management agent of claim 1, wherein the collected data is presented to any of registrars, administrators, and auditors.

15. The key management agent of claim 1, wherein the collected data is presented through a configured report.

16. The key management agent of claim 1, wherein status information of the key management agent is sent to any of a help desk and a monitoring center.

17. The key management agent of claim 16, wherein the status information sent is based on alert mechanism.

18. The key management agent of claim 1, wherein the means for protecting the stored keys or digital certificates at the client machine comprises one or more passphrase elements.

19. The key management agent of claim 18, wherein the passphrase elements are unique to any of the device and the central key management system.

20. The key management agent of claim 18, wherein the passphrase elements are unique to both the device and the central key management system.

21. A process implemented on a client machine that acts under authority of an administrator external to the client machine, the administrator associated with a central key management service, comprising the steps of: obtaining, from a key management registration file installed on the client machine, cryptographic key definitions regarding allowed or configured keys, each key comprising a public and private key pair; using the cryptographic key definitions, generating any of a plurality of the allowed or configured keys; permitting requests to a central key management system for a plurality of digital certificates, each digital certificate corresponding to one of the allowed or configured keys; storing a plurality of the allowed or configured keys and digital certificates within a keystore at the client machine; protecting the stored keys and digital certificates in the keystore; monitoring the status of the keystore for any of expiration and corruption of any of the allowed or configured keys or digital certificates; sending regular status information to the central key management system; and requesting renewal of the allowed or configured keys or digital certificates at pre-assigned schedule based on rules provided by the central key management system.

22. The process of claim 21, wherein the protection of the keystore is assigned in accordance with a subject key profile stored on the central key management service.

23. The process of claim 21, wherein the protection of the keystore comprises standard file protection as available on the client machine.

24. The process of claim 23, wherein the protection of the keystore further comprises encrypted storage in a file using a key derived from a selection of one or more of a set of data elements unique to the client machine on which the key is physically located.

25. The process of claim 24, wherein the protection of the keystore further comprises an agent key value uniquely associated with the agent installed on the client machine.

Patent Metadata

Filing Date

Unknown

Publication Date

April 25, 2017

Inventors

Douglas Pelton
Waeed Sherzai
Catherine Li
Ruven Schwartz

Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “Distributed Cryptographic Management for Computer Systems” (9634834). https://patentable.app/patents/9634834